# Western Logistics and Tech Firms Targeted by Russia's APT28
A growing threat to global security has emerged as dozens of Western logistics and tech firms delivering aid to Ukraine have been targeted by a sophisticated Russian state-backed cyber-espionage campaign. According to allied security agencies, the companies involved operate across various sectors in the US and European countries, including defense, IT services, maritime, airports, ports, and air traffic management systems.
The Russian hacking group responsible for these attacks is APT28 (also known as Fancy Bear, Pawn Storm, Sednit, Sofacy, or Iron Twilight), a well-known entity within the GRU's military unit 26165. This group has been associated with numerous high-profile cyber-espionage activities in recent years.
Over the past two years, security agencies have warned of increased targeting of these companies by APT28. The group's tactics, techniques, and procedures (TTPs) include reconnaissance on critical infrastructure components, as well as attempts to gain access to industrial control systems for railway management.
In one notable instance, a joint cybersecurity advisory from the NSA and its allies revealed that the actors had conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management. However, a successful compromise was not confirmed.
Security experts stress the importance of recognizing the elevated threat posed by APT28 to executives and network defenders at technology and logistics companies. To mitigate this risk, they recommend that these companies take immediate action to protect themselves, including:
* Increasing monitoring
* Using multi-factor authentication with strong factors (such as passkeys)
* Ensuring security updates are applied promptly to manage vulnerabilities
Cato Network's chief security strategist, Etay Maor, emphasizes the need for organizations to adopt a zero-trust approach, likening their network to a castle. "We focused on protecting the outer walls in the past," he says. "But hackers are finding ways inside. We need to build smaller, internal walls within the castle, so if one area is breached, the damage is contained."
Furthermore, APT28 has targeted private IP cameras and municipal traffic cameras along Ukraine's border near crossings, military installations, and rail stations to track the movement of materials into the war-torn country.
In a large-scale campaign that began as early as March 2022, over 10,000 devices were targeted in Ukraine, Hungary, Romania, Slovakia, Poland, and other countries. The group used the Real Time Streaming Protocol (RTSP) servers hosting IP cameras, primarily located in Ukraine, to enumerate devices and gain access to their feeds.
The targeting of IP cameras for intelligence collection purposes is a tactic generally associated with state-sponsored adversaries like Iron Twilight. As an intelligence provider to the Russian military, this access would have helped the group understand what goods were being transported, when, and in what volumes, and would have supported kinetic targeting.
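From the defender's side, large-scale RTSP feed enumeration of the kind described above is visible as one client issuing DESCRIBE or OPTIONS requests to many distinct camera hosts in a short time. The following is an added detection example, not code from the article or from any vendor; it assumes a simple constructed log format (`<ISO timestamp> <client-ip> <method> <url>`), constructed documentation-range IP addresses, and an arbitrary threshold of three distinct hosts per minute.

```python
"""Flag clients that enumerate many RTSP camera hosts in a short window.

Added illustration only; the log format, IP addresses and threshold below are
constructed assumptions, not observed APT28 artefacts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: one client sweeping several cameras, one normal viewer.
SAMPLE_LOG = """\
2022-03-14T08:00:01Z 203.0.113.7 DESCRIBE rtsp://192.0.2.10:554/stream1
2022-03-14T08:00:02Z 203.0.113.7 DESCRIBE rtsp://192.0.2.11:554/stream1
2022-03-14T08:00:02Z 203.0.113.7 OPTIONS rtsp://192.0.2.12:554/
2022-03-14T08:00:03Z 203.0.113.7 DESCRIBE rtsp://192.0.2.13:554/live
2022-03-14T08:00:05Z 203.0.113.7 DESCRIBE rtsp://192.0.2.14:554/live
2022-03-14T08:00:01Z 198.51.100.4 DESCRIBE rtsp://192.0.2.10:554/stream1
2022-03-14T08:00:30Z 198.51.100.4 PLAY rtsp://192.0.2.10:554/stream1
"""

# RTSP methods used to discover a stream before playing it.
ENUM_METHODS = {"DESCRIBE", "OPTIONS"}


def parse_line(line):
    """Split one log line into (timestamp, client, method, camera host)."""
    ts, client, method, url = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp, client, method, urlsplit(url).hostname


def find_enumerators(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {client: distinct_hosts} for clients whose discovery requests
    reach at least `threshold` distinct camera hosts inside `window`."""
    events = defaultdict(list)  # client -> [(timestamp, host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, method, host = parse_line(line)
        if method in ENUM_METHODS:
            events[client].append((stamp, host))
    flagged = {}
    for client, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window from each hit
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[client] = len(hosts)
                break
    return flagged
```

Running `find_enumerators(SAMPLE_LOG)` flags only the sweeping client; the viewer that describes and plays a single stream is left alone.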
"The targeting of IP cameras is interesting," says Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit. "It's a tactic that suggests APT28 anticipates a physical effects aspect to their operations."
As the global security landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect themselves against sophisticated cyber threats like APT28.